Avaya

Modular Messaging Help


Network security

Your network, security, and applications teams can work together to plan and manage network security. A breach of integrity is dangerous and can permit continued attacks on your system.

Locate the Modular Messaging system securely within the network. Do not connect the system directly to the Internet. Modular Messaging connects to your TCP/IP and the telephony network. Leverage the existing network security policy to protect the system from malicious activities from external and internal sources. Make protecting information and the integrity of your network a high priority. When your network is connected to the Internet, the network is exposed to various types of attacks, such as:

  • Network packet sniffers

  • IP spoofing

  • Password attacks

  • Denial of service (DoS) attacks

  • Application layer attacks

Consider the measures described in the following topics to reduce security risks when deploying the Modular Messaging system into your network.

Internet firewall

An Internet firewall is a system or a group of systems that enforces a security barrier between your network and the Internet. The firewall determines how outside services access the inside services. The firewall also determines how inside services access the outside services. Avaya recommends that you install the Modular Messaging system on a trusted network behind your corporate firewall. When you set up a firewall server, identify the type of networks that are attached to the firewall server. Also, explicitly identify the untrusted networks from which the firewall can accept requests. Ensure that all the traffic to and from the Internet passes through the firewall.

Intrusion detection system

You can use an intrusion detection system (IDS) to detect unauthorized break-ins to your systems. Avaya recommends that you implement a network-based IDS as a secondary security system. An IDS performs the following checks:

  • Cross-checks incorrectly configured firewalls

  • Detects attacks that firewalls legitimately allow through, such as attacks against Web servers

  • Detects failed hacking attempts to get into your system

  • Detects insider hacking

Trusted server

This topic discusses trusted servers for Modular Messaging systems with Avaya Message Storage Server (MSS).

A trusted server can be a computer or a software application that has privileged access to the MSS. The server uses its own login and password to access the MSS services. The MSS verifies that the IP packets come from an administered IP address for the trusted servers. The first step in securing the system is to verify that only trusted systems work together. An example of a trusted server for Modular Messaging is Mailbox Manager (MBM). You must administer the passwords that the trusted server application requests to access the MSS. Avaya recommends that you change the trusted server passwords on a regular basis. For more information about setting up a trusted server, see "Setting up the trusted servers" in the Installation and Upgrades guide (pdf) on this CD-ROM.

Trusted server administration

When you add or edit a trusted server profile on the MSS, you can select a security level for the trusted server.

  • The lowest security level does not require encryption. The trusted server can use any security mechanism. Subscriber passwords that appear in the network conversation are still encrypted automatically.

  • The middle security level forces the use of Simple Authentication and Security Layer (SASL). The credentials that the trusted server uses to log in to the MSS are encrypted. Subscriber passwords are encrypted automatically.

  • The highest security level forces the use of Secure Sockets Layer (SSL). The MSS insists that the entire communication to and from the trusted server is encrypted.

Select the security settings based on the firewall, network bandwidth, and capacity of your system.

Messaging Application Server and Message Storage Server private network security

This topic discusses the private network security for Modular Messaging systems with Avaya Messaging Application Server (MAS) and Avaya Message Storage Server (MSS).

In the Modular Messaging system, each MAS acts as a trusted server for the configuration of the MSS. All communication between the MSS and the MAS is carried over a private local area network (LAN). The system is shipped with a Layer 2 switch, which creates the private LAN.

One network interface on each server connects to the switch. To provide the highest level of security, ensure that no other devices connect to the switch. If a customer wants to use their own switch, connect the MAS and MSS to a separate Layer 3 switch over a virtual local area network (VLAN). The VLAN segments the traffic and routes it only between the two systems on the network interfaces dedicated to the private LAN. Note that the messages in the user mailboxes are neither stored nor backed up in encrypted form, and messages are not encrypted in transit by the message retrieval protocols used between the MSS and the MAS.

All user logins between the MAS and the MSS on the private LAN are protected using a challenge-and-response mechanism. User passwords, encrypted using the 3DES algorithm, are transmitted between the MAS and the MSS on the private LAN using Lightweight Directory Access Protocol (LDAP). The MSS verifies that the LDAP connection originates from the administered IP address only.

The second network interface on each server provides standard e-mail client access. E-mail clients on user desktops connect over the corporate LAN using industry-standard protocols such as POP3, IMAP4, and SMTP. Modular Messaging supports the SSL versions of these protocols. You can set the SSL options in the standard e-mail account options window of the client.

Message Application Server switch integration security

During installation, Modular Messaging systems receive Avaya-signed credentials. The Modular Messaging system provides encrypted Session Initiation Protocol (SIP) signaling for the voice mail domain. Only the SIP integration needs signed credentials. The system supports Transport Layer Security (TLS) for secure SIP signaling.

Web Services

Web Subscriber Options uses Web Services to implement its functionality. Web Services communicates with the MAS through port 82 on the MAS. The MAS uses SSL to communicate with Web Services through port 443 on the MAS.

Both Web Services and Microsoft Distributed Component Object Model (DCOM) raise firewall issues, but the Web Services issues are simpler. Web Services uses one open port, whereas DCOM requires a fixed range of open ports. Web Services does not use callbacks, whereas a DCOM server can start a callback to implement some functions. A callback occurs when the server starts a conversation with the client.

Microsoft Distributed Component Object Model use by Modular Messaging

Several components of Modular Messaging that run on the Windows platform use DCOM for communication among processes. In the Modular Messaging with MSS configuration, the following clients use DCOM to the MAS for subscriber-initiated activities:

  • Subscriber Options

  • Outlook with the Avaya plug-ins for play and record on the telephone

  • Modular Messaging Web Client from the Web server for play and record on the telephone

When Modular Messaging uses DCOM to call between clients and the MAS services, the firewall filters DCOM calls and IP traffic.

Network security issues that can occur

Security issues can occur when you use Email (Internet Messaging) and desktop e-mail clients with the Avaya message servers. You can administer client access on your server to minimize some of these risks.

To administer Internet Messaging on the MSS:

  • On the MSS Messaging Administration menu, click Messaging Administration > System Administration.

  • You can use the fields on this page to enable or disable access to the MSS through IMAP, POP, SMTP, and LDAP. Select Yes to enable or No to disable access. For example, to enable MSS access for the Client Add-in for Microsoft Outlook, select Enabled for the IMAP4, SMTP, and LDAP fields.

The following table lists the various clients and the corresponding protocol settings needed to access the respective client. In the table, Yes means Enable this field to grant access, and No means Disable this field to block access.

Access to the MSS using* (SSL ports: POP3 SSL default 995, IMAP4 SSL default 993, SMTP SSL default 465)**:

Client                                                   | POP3 | POP3 SSL** | IMAP4 | IMAP4 SSL** | SMTP | SMTP SSL** | LDAP
---------------------------------------------------------|------|------------|-------|-------------|------|------------|---------
Outlook Client, Web Client, IBM Lotus Notes Client,      | No   | No         | Yes   | No          | Yes  | No         | Yes
  or Advanced Speech Access                              |      |            |       |             |      |            |
Standard IMAP4 client                                    | No   | No         | Yes   | No          | Yes  | No         | Yes***
Standard IMAP4 client using SSL IMAP and SSL SMTP        | No   | No         | No    | Yes         | No   | Yes        | Yes***
Standard POP3 client                                     | Yes  | No         | No    | No          | Yes  | No         | Yes***
Standard POP3 client using SSL POP3 and SSL SMTP         | No   | Yes        | No    | No          | No   | Yes        | Yes
Networked Modular Messaging or Message Networking system | No   | No         | No    | No          | Yes  | No         | Yes****

* You can use the System Administration page on the MSS to specify the port numbers that the Modular Messaging system uses. For example, you can deploy a custom POP3 application and configure it to use a nonstandard POP3 port to access the system.

** You can also run an SSL operation over the "regular" standard ports that use the STARTTLS command. For example, you can enable the POP3 and SMTP ports and run the STARTTLS command to get an SSL operation over the standard POP3 port. Administrators must instruct subscribers to configure their e-mail clients to use STARTTLS.

*** LDAP is not necessary for mailbox access. LDAP access is required only if the client is configured to use the MSS LDAP directory as an address book.

**** This LDAP conversation occurs on nonstandard ports.
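The table above amounts to a least-privilege rule: enable only the protocol fields that a deployed client actually needs and disable the rest. The following added example (not Avaya's code) turns the table into an audit that compares the administered System Administration fields with the clients in use; the field labels and client names are assumed short forms, not the exact labels on the MSS page.

```python
# Added example (not Avaya's code): least-privilege audit of the MSS
# System Administration protocol fields against the clients you deploy.
# REQUIRES is transcribed from the client/protocol table above; the field
# labels are assumed short names, not the exact labels on the MSS page.
ALL_FIELDS = ("POP3", "POP3 SSL", "IMAP4", "IMAP4 SSL", "SMTP", "SMTP SSL", "LDAP")

REQUIRES = {
    "Outlook Client": {"IMAP4", "SMTP", "LDAP"},
    "Web Client": {"IMAP4", "SMTP", "LDAP"},
    "IBM Lotus Notes Client": {"IMAP4", "SMTP", "LDAP"},
    "Advanced Speech Access": {"IMAP4", "SMTP", "LDAP"},
    "Standard IMAP4 client": {"IMAP4", "SMTP"},
    "Standard IMAP4 client (SSL)": {"IMAP4 SSL", "SMTP SSL"},
    "Standard POP3 client": {"POP3", "SMTP"},
    "Standard POP3 client (SSL)": {"POP3 SSL", "SMTP SSL", "LDAP"},
    "Networked MM / Message Networking": {"SMTP", "LDAP"},
}
# Clients marked Yes*** in the table: LDAP is needed only for the address book.
LDAP_OPTIONAL = {"Standard IMAP4 client", "Standard IMAP4 client (SSL)",
                 "Standard POP3 client"}


def required_fields(clients, ldap_address_book=False):
    """Union of the fields the deployed clients need (Yes in the table)."""
    needed = set()
    for client in clients:
        needed |= REQUIRES[client]          # KeyError flags an unknown client
        if ldap_address_book and client in LDAP_OPTIONAL:
            needed.add("LDAP")
    return needed


def audit(administered, clients, ldap_address_book=False):
    """administered: {field: True/False} as set on the System Administration
    page. 'missing' = needed but disabled; 'excess' = enabled although no
    deployed client needs it, i.e. listeners to disable to reduce exposure."""
    needed = required_fields(clients, ldap_address_book)
    enabled = {f for f in ALL_FIELDS if administered.get(f, False)}
    return {"missing": sorted(needed - enabled),
            "excess": sorted(enabled - needed)}


# Constructed sample: every field left enabled, but only Outlook users and
# SSL-only POP3 users exist, so plaintext POP3 and IMAP4 SSL are excess.
SAMPLE_ADMIN = {f: True for f in ALL_FIELDS}
SAMPLE_CLIENTS = ["Outlook Client", "Standard POP3 client (SSL)"]

if __name__ == "__main__":
    print(audit(SAMPLE_ADMIN, SAMPLE_CLIENTS))
```

Run the audit again after any change to the client mix, and treat every field in "excess" as a listener to set to No.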


Privacy settings

To permit clients to use the MSS, you must administer privacy settings on the Modular Messaging servers. You can use the Restrict Client Access setting in the Class of Service (COS) to administer POP3 or IMAP4 access to the MSS. The Restrict Client Access setting is assigned to subscribers.

To change the COS setting on networked machine information:

  1. On the MSS Messaging Administration menu, click Messaging Administration > Classes-of-Service.

  2. The Manage Classes-of-Service page displays a list of the COS on the system.

  3. Select a COS and click Edit the Selected COS.

     In the Restrict Client Access field, select yes or no to determine whether subscribers with this COS can access their mailboxes on standards-based clients. If the value is yes, subscribers can use only Avaya proprietary clients to access their mailboxes, for example the telephone user interface (TUI), Modular Messaging Web Client, and Avaya Advanced Speech Access; subscribers cannot use the Client Add-in for Microsoft Outlook. If the value is no, subscribers can access their mailboxes from Avaya proprietary clients and from other IMAP4 and POP3 clients, including the Client Add-in for Microsoft Outlook.

The Restrict Client Access control is overridden, and client access is restricted if the Privacy Enforcement Level (PEL) value is set to Full. The PEL setting is controlled using the Voice Mail System Configuration (VMSC) program on the MAS. To view the PEL settings, open the VMSC program on the MAS and double-click the Messaging item on the VMSC tree. For more information, see the MAS Help.
